Invention Grant
- Patent Title: Heuristic malware detection
- Patent Title (中): 启发式恶意软件检测
- Application No.: US11609170
- Application Date: 2006-12-11
- Publication No.: US08091127B2
- Publication Date: 2012-01-03
- Inventor: Thomas M. Bradicich, Richard E. Harper, William J. Piazza
- Applicant: Thomas M. Bradicich, Richard E. Harper, William J. Piazza
- Applicant Address: US NY Armonk
- Assignee: International Business Machines Corporation
- Current Assignee: International Business Machines Corporation
- Current Assignee Address: US NY Armonk
- Agency: Carey, Rodriguez, Greenberg & O'Keefe
- Agent: Steven M. Greenberg, Esq.
- Main IPC: G06F11/00
- IPC: G06F11/00

Abstract:
Embodiments of the present invention provide a method, system and computer program product for heuristic malware detection. In one embodiment of the invention, a heuristic malware detection method can include merging a baseline inventory of file attributes for respective files from each client computing system in a community of client computing systems into a merged inventory. The method further can include receiving an updated inventory of file attributes in a current inventory survey from different ones of the client computing systems. Each received survey can be compared to the merged inventory, and in response to the comparison, a deviant pattern of file attribute changes can be detected in at least one survey for a corresponding client computing system. Thereafter, the deviant pattern can be classified as one of a benign event or a malware attack. Finally, malware removal can be requested in the corresponding client computing system if the deviant pattern is classified as a malware attack.
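The flow in the abstract (merge baselines, compare surveys, classify deviations, request removal) can be sketched as follows. This is an added example, not code from the patent: the attribute tuples, the function names and the prevalence-based classification rule are assumptions, since the abstract does not say how a deviant pattern is classified.

```python
from collections import Counter, defaultdict

def merge_baselines(baselines):
    """Merge per-client baselines into {path: set of attribute tuples seen}."""
    merged = defaultdict(set)
    for inventory in baselines.values():
        for path, attrs in inventory.items():
            merged[path].add(attrs)
    return merged

def deviations(survey, merged):
    """Files in a survey whose attributes match no entry in the merged inventory."""
    return {p: a for p, a in survey.items() if a not in merged.get(p, ())}

def classify(surveys, merged, benign_share=0.5):
    """Assumed heuristic: a change shared by more than benign_share of the
    surveyed clients is a benign rollout; a rarer change is suspected malware."""
    devs = {c: deviations(s, merged) for c, s in surveys.items()}
    seen = Counter((p, a) for d in devs.values() for p, a in d.items())
    verdicts = {}
    for client, d in devs.items():
        rare = sorted(p for p, a in d.items()
                      if seen[(p, a)] / len(surveys) <= benign_share)
        label = "malware_suspected" if rare else "benign" if d else "no_change"
        verdicts[client] = (label, rare or sorted(d))
    return verdicts

def removal_requests(verdicts):
    """Clients for which malware removal would be requested."""
    return sorted(c for c, (label, _) in verdicts.items() if label == "malware_suspected")

# Constructed sample data: attributes are (size, digest) tuples, values made up.
BASE = {"/bin/app": (100, "aa"), "/bin/sh": (50, "bb")}
BASELINES = {c: dict(BASE) for c in ("c1", "c2", "c3", "c4")}
PATCHED = {**BASE, "/bin/app": (120, "cc")}           # update rolled out widely
SURVEYS = {
    "c1": PATCHED,
    "c2": PATCHED,
    "c3": {**PATCHED, "/bin/sh": (77, "ee"), "/tmp/x": (9, "ff")},  # isolated changes
    "c4": dict(BASE),                                  # not yet updated
}

if __name__ == "__main__":
    verdicts = classify(SURVEYS, merge_baselines(BASELINES))
    for client, verdict in sorted(verdicts.items()):
        print(client, verdict)
    print("request removal on:", removal_requests(verdicts))
```

The sketch only compares files present in a survey, so files deleted since the baseline are not reported.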
Public/Granted literature
- US20080141371A1 HEURISTIC MALWARE DETECTION Public/Granted day: 2008-06-12